2.2.5

[bk-cs]

New Commands

container-security

• Edit-FalconContainerRegistry
• Get-FalconContainerRegistry
• New-FalconContainerRegistry
• Remove-FalconContainerRegistry

discover

• Get-FalconDiscoverNetwork
• Get-FalconDiscoverRule
• Get-FalconDiscoverScan
• Get-FalconDiscoverScanner

falconx

• Receive-FalconMemoryDump

fwmgr

• Edit-FalconFirewallLocation
• Edit-FalconFirewallLocationSetting
• Get-FalconFirewallLocation
• New-FalconFirewallLocation
• Remove-FalconFirewallLocation
• Set-FalconFirewallLocationPrecedence

kubernetes-protection

• Get-FalconContainerAccount
• Get-FalconContainerAzureScript
• Get-FalconContainerAzureTenant
• Get-FalconContainerScript

Issues Resolved

• Issue [ BUG ] Import-FalconConfig only creates Windows FirewallGroup #283: Added platform during creation of FirewallGroup items when using Import-FalconConfig.
• Issue [ BUG ] Get-FalconQueue no longer reporting queued sessions #294: Modified the FQL query being used by Get-FalconQueue to account for an API change that made the
  previous query stop working.
• Issue [ BUG ] Get-FalconHorizonIom with All is not paginating properly #295: Added code to the sub-function Invoke-Loop inside Invoke-Falcon to strip all query parameters
  when paginating Get-FalconHorizonIom.
• Issue [ BUG ] Get-FalconAsset with -Include login_events does not add results for all assets #296: Updated Get-FalconAsset to ensure proper attachment of login_event results for each asset when
  using -Include login_event.
• Issue [ BUG ] Import-FalconConfig only creates Windows FirewallGroup #283: Modified New-FalconSensorUpdatePolicy to remove scheduler under settings when set as
  disabled to prevent errors when creating policies.

General Changes

• Updated reference policies for Compare-FalconPreventionPhase.
• Switched from using Write-Verbose to PSCmdlet.WriteVerbose() to increase content when using Verbose
  with commands.
• Added additional verbose message output when commands send their requests to display the endpoint being used.
• Added (local) timestamp at the beginning of verbose output messages through the creation of a Verbose function
  within class\Class.ps1 and the private function unnamed.
• Added Start-RtrUpdate and Stop-RtrUpdate functions to manage PowerShell background jobs to refresh
  Real-time Response sessions when using Invoke-FalconRtr or Invoke-FalconDeploy.
• Changed the Wait parameter for Invoke-FalconAdminCommand, Invoke-FalconBatchGet,
  Invoke-FalconCommand, and Invoke-FalconResponderCommand to wait until completion instead of a maximum of
  60 seconds.
• Added Wait-RtrCommand and Wait-RtrGet private functions when using Wait with Real-time Response
  commands.
• Streamlined some of the code of Write-Result to increase performance.
• Updated Get-RtrResult function (used by Invoke-FalconRtr and Invoke-FalconDeploy) to include properties
  that are blank in output. This will ensure that piping to CSV does not present problems when certain hosts
  respond with different properties (i.e. stderr on some results and not others).
• Ensured the Test-FqlStatement function was properly used with each command's Filter parameter.
• Slightly changed descriptions of commands to match how required permissions are labeled within the Falcon UI.
• Modified PSFalcon.psd1 to remove duplicate load of class\Class.ps1.

Command Changes

Confirm-FalconGetFile

• Corrected invalid ValidatePattern value for Id parameter.

Edit-FalconDetection

• Removed ignored as an option for Status to conform with API change.

Edit-FalconDeviceControlPolicy

• Added parameters to allow modification of custom notifications for the default Windows policy

Find-FalconDuplicate

• Added Platform parameter to filter by a specific platform when retrieving hosts (instead of providing a
  lists through the Hosts parameter).

Find-FalconHostname

• Raised filtered search group count from 20 to 100.

Get-FalconAsset

• Raised filtered search groups count from 20 to 100 when using -Include login_event.
• Added Application switch to search for applications inventoried by Falcon Discover.
• Added IoT switch to search for IoT assets inventoried by Falcon Discover.

Get-FalconContainerVulnerability

• Added Application parameter for filtering application packages.

Get-FalconDeviceControlPolicy

• Added parameters to allow retrieval of the default Windows policy with custom notifications

Get-FalconHorizonIoa

• Added parameter AccountId and removed Region.
• Set CloudPlatform as mandatory instead of generating an error when it was not included.

Get-FalconHorizonIom

• Updated to use new endpoints /detects/entities/iom/v2:get and /detects/queries/iom/v2:get.
• New parameter set includes typical parameters like Filter and Sort. Old parameters are no longer
  available, but similar functionality can be found using proper Filter statements.

Get-FalconHorizonPolicy

• Updated to use new /settings/entities/policy-details/v2:get endpoint when supplying an Id value.
• Removed Detailed switch because the base endpoint always returns detailed results.

Get-FalconHost

• Added policy_names as an option for Include to append policy_name under device_policies
  results (when possible).

Get-FalconRole

• Removed Detailed from command because all results have detailed information in the related parameter set.
• Added All and Total to relevant parameter set.

Get-FalconUser

• Raised filtered search groups count from 20 to 100 when using Username.

Get-FalconQueue

• Added HostId parameter to restrict queued session search to specific host identifiers.

Get-FalconZta

• Added Filter, Sort, Limit, After, Detailed, All, and Total parameters in support of new API
  endpoint GET /zero-trust-assessment/queries/assessments/v1.

Invoke-FalconDeploy

• Added Set-Location to force location to temporary directory when running executable on target host(s).
• Removed pipeline support for GroupId so that Invoke-FalconHostAction results could be piped through the
  HostId parameter.

Invoke-FalconRtr

• Added additional verbose output.
• Increased the default Timeout for session creation and command requests to 600 seconds when not defined.
• Updated to set a Timeout of 2 seconds less than defined Timeout for batch sessions (or 58 seconds if not
  defined) and 3600 seconds for single-host sessions when using runscript and not specifying Timeout inside
  Argument.
• Removed Select-Object code (which ensured all objects had the same final output) to greatly increase
  performance.
• Removed pipeline support for GroupId so that Invoke-FalconHostAction results can be piped through the
  HostId parameter.
• Added Sort-Object when generating list of Command values to ensure it's provided in alphabetical order.
• Added single quotes when using auto-complete for Command values that have a space.

New-FalconCompleteCase

• Updated to use new v2 API endpoint.

---

This discussion was created from the release 2.2.5.